Container Violation = Container depth limit exceeded - Error in scan engine logs.
Article: TECH94102 | Created: 2009-01-20 | Updated: 2009-01-05 | Article URL: http://www.symantec.com/docs/TECH94102
The scan engine log has an entry stating "Container Violation = Container depth limit exceeded", and you want to know what to do.
A container violation has been logged with the error as stated, and files are being blocked or deleted on the basis of the verdict.
The option under Policies | Filtering | Container Handling | "maximum extract depth of file meets or exceeds [ X ] levels", where X is a value greater than 0, is set too low for the environment.
Increase the value to one that fits the day-to-day activities of the environment in question. A good base value is 10 levels, as this allows a reasonable amount of file nesting within containers.
The container limit exists primarily to stop denial-of-service attacks such as a "zip of death" or "zip bomb".
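To check representative files before choosing X, the following added Python example (not Symantec code, and not the scan engine's own logic) counts nested ZIP layers and stops as soon as the depth meets or exceeds the limit. It handles ZIP-based containers only; `container_depth`, `audit`, `make_nested` and the 1 MiB member cap are assumptions of this example, and the product may count levels differently.

```python
import io
import zipfile

MAX_DEPTH = 10               # base value suggested in the article
MAX_MEMBER_BYTES = 1 << 20   # assumption: size cap so the audit itself stays bounded

class DepthLimitExceeded(Exception):
    """Nesting meets or exceeds the configured limit."""

def container_depth(data: bytes, limit: int = MAX_DEPTH, _level: int = 1) -> int:
    """Count nested ZIP layers in `data` (0 if it is not a ZIP at all)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    if _level >= limit:  # "meets or exceeds [ X ] levels": stop before extracting
        raise DepthLimitExceeded(f"depth {_level} meets or exceeds limit {limit}")
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Skip directories and oversized members instead of inflating them.
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            with zf.open(info) as member:
                child = member.read(MAX_MEMBER_BYTES + 1)
            if len(child) <= MAX_MEMBER_BYTES:  # the declared size can lie
                deepest = max(deepest, container_depth(child, limit, _level + 1))
    return 1 + deepest

def make_nested(levels: int) -> bytes:
    """Constructed sample: a small text file wrapped in `levels` ZIP layers."""
    payload, name = b"constructed sample document body", "report.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"layer{i}.zip"
    return payload

def audit(samples: dict, limit: int = MAX_DEPTH) -> dict:
    """Map each sample name to its depth, or to 'VIOLATION' if the limit trips."""
    report = {}
    for name, data in samples.items():
        try:
            report[name] = container_depth(data, limit)
        except DepthLimitExceeded:
            report[name] = "VIOLATION"
    return report

if __name__ == "__main__":
    print(audit({"plain": make_nested(0), "3-deep": make_nested(3), "10-deep": make_nested(10)}))
```

Running `audit` over a sample of legitimate files from the environment shows the deepest nesting in normal use, so the limit can be set just above it rather than arbitrarily high.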
The log entry which appears should be similar to the following:
A container violation has been found
Date/time of event = 2009-05-20 10:01:03
Event Severity Level = Warning
File name = \\
File status = NOT REPAIRED
Component name = *.PPT/PowerPoint Document
Component disposition = NOT REPAIRED
Container Violation = Container depth limit exceeded
Client IP = 127.0.0.1
Scan Duration (sec) = 0.578
Connect Duration (sec) = 0.594